Abstract

This note analyses one of the existing space efficient secret sharing schemes and suggests vulnerabilities in its design. We observe that the said algorithm fails for certain choices of the set of secrets and that there is no reason for preferring this particular scheme over alternative schemes. The paper also elaborates the adoption of a scheme proposed by Hugo Krawczyk, as an extension of Shamir's scheme, for a set of secrets. Such an implementation is space optimal and works for all choices of secrets. We also propose two new methods of attack which are valid under certain assumptions and observe that it is the elimination of random values that facilitates these kinds of attacks.
1 Introduction

At times, we come across situations wherein we want to share a secret among a set of people in such a way that if more than a particular number of people from that set come together, the secret can be reconstructed. However, any number of people less than that particular number, albeit from the same set of people, should not be able to learn anything about the secret. Such a scheme is called a threshold secret sharing scheme. If the size of the whole set of people is $n$ and the threshold is $k$, we call that scheme a $(k, n)$ threshold secret sharing scheme. In such a scheme, $n$ shares are generated and distributed among the people; any $k$ of them are enough for reconstruction of the original secret, while any $k - 1$ or fewer will not be able to recover the secret. We might also come across cases where we have a set of secrets rather than a single secret to be shared among a set of people. This set of secrets contains elements which may or may not be distinct.

In a $(k, n)$ secret sharing scheme by Shamir [1], there results an $n$-fold increase in the total storage requirement. Further, in cases where $k$ secrets have to be shared among $n$ individuals for a $(k, n)$ scheme, the storage requirement explodes to $k \cdot n$ times the original. One of the already proposed schemes [2], which claims to be space efficient, was however found to compromise usability for efficiency, without really achieving efficiency. In this paper, we describe the vulnerabilities in its design and offer a better solution which overcomes these drawbacks.

2 Review of existing scheme 

The scheme in [2] works in the following manner:

Consider a polynomial function $y = q(x)$ of degree $k - 1$, from $\mathbb{Z}_p$ to $\mathbb{Z}_p$. The secrets $s_0, s_1, \ldots, s_{k-1}$ are treated as $y$ values with $x = 0, 1, \ldots, k - 1$. Then they are interpolated to form a degree $k - 1$ polynomial, and the value of $q(x)$ at $n$ different $x$ is calculated, where $x \notin \{0, 1, \ldots, k - 1\}$. Each of the $n$ values thus obtained, together with the corresponding $x$ value, is a share. Note that the number of secrets, $k$, is the same as the threshold value $k$ in this particular $(k, n)$ scheme.

A number of problems identified with this scheme follows: 

1. It shares $k$ secrets among $n$ people such that any $k$ of them can reconstruct the secrets. Thus the threshold $k$ has to be chosen to be equal to the number of secrets to be shared. Hence, for sharing $k$ secrets (whether or not the order of the secrets matters) in an $(m, n)$ scheme, where $m$ is the threshold and $m > k$, the scheme is insufficient. Clearly, it is undesirable that the number of secrets dictates the threshold to be used.

2. The scheme cannot be used to implement a $(k, n)$ scheme when the $k$ secrets to be distributed are inherently generated from a polynomial of order less than $k - 1$. This may be demonstrated using an example.

Let $s_0, s_1, s_2$ and $s_3$ be four secrets in a finite field $\mathbb{Z}_p$ to be shared in a $(4, n)$ scheme. If $s_0 = 2$, $s_1 = 6$, $s_2 = 12$, $s_3 = 20$, and $p = 31$, the scheme expects a cubic polynomial to be the result of interpolation. However, the polynomial resulting from interpolation happens to be $x^2 + 3x + 2$, which is quadratic. If the shares are generated from this polynomial, only 3 people are required for reconstruction; thereby a $(4, n)$ scheme could not be implemented.

One solution to this problem appears to be changing the order of the secrets or changing the indices $i$ of the $s_i$. However, it costs a round of interpolation, because it is impossible to guess such a relation between the seemingly innocent secrets without interpolating. Besides, changing the order may not always be feasible (for example, when these secrets are pieces of a larger secret), and changing the indices may not always work.

3. The scheme does not work if all of the secrets to be shared are the same. This case is quite possible, for instance when the $k$ secrets are parts of a large secret, as mentioned in [2]. But, for the scheme to work, there should be at least one pair $s_i \neq s_j$ among all the $s_i, s_j$ to be shared. This is by definition of interpolation: for successful interpolation over a finite field, we need at least two distinct values.

For example, suppose we want to share 3 secrets, all of them equal to 2, taken from the finite field $\mathbb{Z}_p$, $p = 3$. Then $s_0 = 2$, $s_1 = 2$, $s_2 = 2$ and $p = 3$. Interpolation is performed as follows:

$$q_0(x) = \frac{(x-1)(x-2)}{(0-1)(0-2)} = 2x^2 + 1.$$

$$q_1(x) = \frac{(x-0)(x-2)}{(1-0)(1-2)} = 2x^2 + 2x.$$

$$q_2(x) = \frac{(x-0)(x-1)}{(2-0)(2-1)} = 2x^2 + x.$$

Now, $q(x) = s_0 \cdot q_0(x) + s_1 \cdot q_1(x) + s_2 \cdot q_2(x)$.

$\Rightarrow q(x) = 2 \cdot (q_0(x) + q_1(x) + q_2(x))$.

$\Rightarrow q(x) = 2$.

Thus, we end up with a constant polynomial. The scheme needs a quadratic polynomial for implementing a $(3, n)$ scheme and hence does not work in such cases. It is easily seen that $k$ secrets, all of them the same, can be chosen from a field $\mathbb{Z}_p$ in $p$ ways. There is a total of $p^k$ ways in which any $k$ secrets can be chosen from $\mathbb{Z}_p$ (the $k$ secrets may or may not be distinct). The method in [2] does not work in any of these $p$ cases out of the $p^k$ cases possible.

4. The percentage of cases for which the method in [2] fails may be calculated as follows. Here we have assumed that the order of secrets is important, i.e., a set of secrets, say, $\{0, 1, 1, 2\}$, is different from $\{0, 1, 2, 1\}$.

In general, there are $p^{k-1}$ cases in which the $k$ secrets are generated from polynomials of order less than $k - 1$. This includes the cases in which all the secrets are the same. The count is obtained by the following argument:

We need to find the number of instances where the secrets $s_0, s_1, \ldots, s_{k-1}$ are generated from polynomials of order strictly less than $k - 1$. Let the polynomial be named $f(x)$. Note that all operations are performed modulo $p$. Thus,

$$f(x) = a_{k-1} x^{k-1} + \ldots + a_2 x^2 + a_1 x + a_0; \quad a_{k-1} = 0.$$

Now, the secrets are the values of $f(x)$ at different values of $x$, $0 \le x \le k - 1$:

$$s_0 = f(0) = a_0,$$
$$s_1 = f(1) = a_{k-1} + \ldots + a_2 + a_1 + a_0,$$
$$\vdots$$
$$s_{k-1} = f(k-1) = a_{k-1} (k-1)^{k-1} + \ldots + a_2 (k-1)^2 + a_1 (k-1) + a_0.$$
In matrix form, this looks like

$$\begin{pmatrix} 0 & 0 & \cdots & 0 & 1 \\ 1 & 1 & \cdots & 1 & 1 \\ 2^{k-1} & 2^{k-2} & \cdots & 2 & 1 \\ \vdots & \vdots & & \vdots & \vdots \\ (k-1)^{k-1} & (k-1)^{k-2} & \cdots & (k-1) & 1 \end{pmatrix} \begin{pmatrix} a_{k-1} \\ a_{k-2} \\ \vdots \\ a_1 \\ a_0 \end{pmatrix} = \begin{pmatrix} s_0 \\ s_1 \\ \vdots \\ s_{k-2} \\ s_{k-1} \end{pmatrix}$$

Let us denote the above matrices respectively as $M$, $A$ and $B$. Thus, $M \cdot A = B$. Now, the matrix $M$ is the Vandermonde matrix of order $k$ and is invertible [1]. Furthermore, even modulo $p$, this is true, since the determinant of $M$ is not divisible by $p$ [5]. Therefore, we can write $A = M^{-1} \cdot B$:

$$\begin{pmatrix} a_{k-1} \\ a_{k-2} \\ \vdots \\ a_1 \\ a_0 \end{pmatrix} = M^{-1} \cdot \begin{pmatrix} s_0 \\ s_1 \\ \vdots \\ s_{k-2} \\ s_{k-1} \end{pmatrix}$$

If $m_0, m_1, \ldots, m_{k-1}$ are the elements of the first row of $M^{-1}$, then, since $a_{k-1} = 0$, we have

$$m_0 s_0 + m_1 s_1 + \ldots + m_{k-1} s_{k-1} = 0.$$

Here, we have $p^{k-1}$ ways to choose the secrets $s_0, \ldots, s_{k-2}$. From the above equation, the $k$-th secret, $s_{k-1}$, has to be the negative of the sum of the rest of the secrets mod $p$. Thus, the resulting number of choices for the set of secrets is $p^{k-1}$, considering that the same set of numbers taken in a different order is treated as a different set of secrets.

This count may be obtained by an alternative approach as well (we thank the author of [2] for this argument).

The $k$ secrets being generated from a polynomial of order less than $k - 1$ occurs in the following manner. The polynomial constructed out of the remaining $k - 1$ secrets passes through the value of the $k$-th secret $s_{k-1}$ at $x = k - 1$; i.e., the set we consider for interpolation is an oversampling of a lower degree polynomial. Now, having chosen $k - 1$ secrets from a finite field $\mathbb{Z}_p$, the $k$-th secret $s_{k-1}$ can be just one of the $p$ possible choices. This is because $s_{k-1}$ is treated as the $y$ value at $x = k - 1$, and the polynomial constructed out of the remaining $k - 1$ secrets passes through exactly one point $(k - 1, s_{k-1})$. However, the $k - 1$ secrets can be chosen from $\mathbb{Z}_p$ in $p^{k-1}$ ways. This value multiplied by the number of choices for the $k$-th secret $s_{k-1}$ (which is equal to 1) gives $p^{k-1}$ cases in which the method fails.

Thus, there are $p^{k-1}$ choices of secrets out of the $p^k$ choices possible which yield polynomials of degree less than $k - 1$ upon interpolation, thereby leaving us unable to implement a $(k, n)$ scheme.

$$\text{Percentage of failure} = \frac{p^{k-1}}{p^k} \cdot 100 = 100/p. \tag{1}$$

5. It is mentioned in [2] that the primes chosen are of the order of 1024 bits. Then, even for small $k$, there is a large number of choices of secrets which cannot be implemented using the scheme. For large values of $p$, the failure percentage is small, as indicated by the formula. However, since the failure rate is not zero, it is absolutely necessary to verify whether or not the method works for a particular set of secrets.

For example, for $k = 3$ and $p$ of the order of 1024 bits, the number of cases for which the method fails is $f = p^{k-1} = p^2$; $f$ is of the order of $2^{1024} \cdot 2^{1024} = 2^{2048}$. The number of cases for which the scheme in [2] fails is of the order of 2048 bits for a simple $k = 3$; i.e., there are about $2^{2048}$ choices of a set of 3 secrets for which the scheme does not work (the number $2^{2048}$ is nearly 600 digits long), although this is only a very small percentage of the possible sets of secrets. The problem lies in the fact that it is impossible to know beforehand whether or not the method can be used for a particular $(k, n)$ scheme for a given set of secrets.
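As an added illustration of the scheme of [2] and of the failure cases discussed in items 2, 3 and 4 above (example code written for this note, not part of the original paper or of [2]), the following Python reproduces the interpolation the scheme performs, checks whether the interpolant has the required degree $k - 1$, and verifies the $p^{k-1}$ failure count by exhaustive search for a small field. The small primes used for the exhaustive count are chosen here for illustration.

```python
# Added example (not from the paper): the scheme of [2] interpolates the
# k secrets as y-values at x = 0, 1, ..., k-1 over Z_p and fails whenever
# the interpolant has degree below k-1.  This reproduces the two worked
# failures from the text and verifies the p^(k-1) failure count by
# exhaustive search for small p and k (constructed parameters).
from itertools import product


def poly_mul(a, b, p):
    """Multiply two polynomials given as coefficient lists (low degree first) mod p."""
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % p
    return out


def lagrange_coefficients(xs, ys, p):
    """Coefficients (low degree first) of the unique polynomial of degree
    <= len(xs)-1 over Z_p passing through the points (xs[i], ys[i])."""
    k = len(xs)
    coeffs = [0] * k
    for i in range(k):
        # Basis polynomial L_i(x) = prod_{j != i} (x - x_j) / (x_i - x_j)
        basis = [1]
        denom = 1
        for j in range(k):
            if j == i:
                continue
            basis = poly_mul(basis, [(-xs[j]) % p, 1], p)   # multiply by (x - x_j)
            denom = denom * (xs[i] - xs[j]) % p
        scale = ys[i] * pow(denom, -1, p) % p   # pow(d, -1, p) is the modular inverse
        for d in range(len(basis)):
            coeffs[d] = (coeffs[d] + scale * basis[d]) % p
    return coeffs


def degree(coeffs):
    """Degree of a coefficient list; -1 for the zero polynomial."""
    for d in range(len(coeffs) - 1, -1, -1):
        if coeffs[d] != 0:
            return d
    return -1


def scheme2_interpolant(secrets, p):
    """The interpolant [2] builds: the secrets are y-values at x = 0, ..., k-1."""
    k = len(secrets)
    return lagrange_coefficients(list(range(k)), [s % p for s in secrets], p)


def scheme2_works(secrets, p):
    """A (k, n) scheme under [2] needs an interpolant of degree exactly k-1."""
    return degree(scheme2_interpolant(secrets, p)) == len(secrets) - 1


def count_failures(k, p):
    """Count ordered k-tuples of secrets from Z_p for which [2] fails.
    The argument in the text predicts p^(k-1), i.e. a failure rate of 100/p percent."""
    return sum(1 for secrets in product(range(p), repeat=k) if not scheme2_works(secrets, p))


if __name__ == "__main__":
    # Worked example from the text: (2, 6, 12, 20) over Z_31 gives x^2 + 3x + 2.
    print(scheme2_interpolant([2, 6, 12, 20], 31))   # [2, 3, 1, 0]: quadratic, not cubic
    print(scheme2_works([2, 6, 12, 20], 31))         # False
    # All secrets equal: the interpolant collapses to the constant 2.
    print(scheme2_interpolant([2, 2, 2], 3))         # [2, 0, 0]
    # k = 3, p = 5: 5^2 = 25 failing triples out of 5^3 = 125.
    print(count_failures(3, 5), 5 ** 3)
```

A sharer using [2] would have to run the degree check of `scheme2_works` on every set of secrets before distributing shares, which is exactly the extra round of interpolation item 2 complains about.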

3 Definitions 

Borrowing from [3], the blow-up factor is defined in various cases as follows.

Definition 1. Blow-up factor (secret sharing)

$$= \frac{\text{Total size of shares}}{\text{Total size of secrets encoded by the shares}} = \frac{\text{Number of shares} \cdot \text{Size of a share}}{\text{Total size of original secrets}}$$

Definition 2. Blow-up factor (conventional secret sharing)

$$= \frac{\text{Number of shares} \cdot \text{Size of a share}}{\text{Total size of original secrets}} = \frac{n \cdot d}{d}$$

Definition 3. Blow-up factor (space optimal secret sharing)

Such a scheme is one with a blow-up factor of $n/k$, where $2 < k < n$. This is because, for a space optimal secret sharing scheme,

$$\frac{\text{Number of shares} \cdot \text{Size of a share}}{\text{Total size of original secrets}} = \frac{n \cdot d}{k \cdot d} = \frac{n}{k}.$$

4 A better solution 

A scheme with the following properties is desirable: 

• A space optimal secret sharing algorithm for $k$ secrets in an $(m, n)$ scheme, $m > k$; i.e., it does not demand that the threshold be chosen to be equal to the number of secrets.

• A scheme that allows for repetition of secrets and works when the order of secrets matters as well as when it doesn't.

• An implementation-friendly scheme where the need for random values is completely eliminated or, in certain cases, minimized.

Krawczyk's algorithm 

Krawczyk outlines an algorithm in [6] for information dispersal. The same method, when used for sharing a set of secrets, does not have any of the drawbacks the method in [2] has, and is space optimal as well. Let us first consider the case of $k$ secrets to be shared among $n$ people in a $(k, n)$ scheme.

Algorithm:

1. Construct a polynomial $q(x)$ in such a way that the secrets are the coefficients of the powers of $x$. If $s_0, s_1, s_2, \ldots, s_{k-1}$ are the $k$ secrets, then the polynomial to be constructed is:

$$q(x) = s_0 + s_1 x + s_2 x^2 + \ldots + s_{k-1} x^{k-1}.$$

Here, we have to ensure that the coefficient of the highest power of $x$ is non-zero, i.e., $s_{k-1} \neq 0$.

2. Compute the values of $q(x)$ at $n$ different values of $x$, say $x_0, x_1, \ldots, x_{n-1}$, and distribute them as shares $(x_0, b_0), (x_1, b_1), \ldots, (x_{n-1}, b_{n-1})$, where $b_i = q(x_i)$, $0 \le i \le n - 1$.

3. Reconstruction of the secrets can be carried out using any $k$ of the values generated in step 2 above, by solving for the $s_i$'s or by obtaining $q(x)$ through interpolation.

The aforementioned scheme works for all possible sets of secrets except in the trivial case of all secrets being equal to 0. Through this scheme, we have attained the optimal ($n/k$) blow-up factor in total storage size, i.e., storing $k$ secrets, each of length $d$, demands only a storage space of $d \cdot n$. Besides, it eliminates the need for random coefficients for the powers of $x$, as the secrets themselves are assumed here to be truly random. If the secrets are not random but follow a certain distribution, they can be suitably randomised (using a hash function) to serve our purpose.

Further, this scheme can be extended to implement an $(m, n)$ scheme for sharing $k$ secrets, where $m > k$. This can be achieved by using random coefficients for the powers $j$ of $x$, where $k \le j < m$.

Such a design is free of the constraint of the algorithm in [3], where only a $(k, n)$ scheme could be implemented with $k - 1$ secrets. Besides, the method in [3] involves $k - 1$ interpolations for reconstruction of the secrets, since it uses a recursive scheme: after each interpolation, a polynomial is obtained whose free term corresponds to one of the secrets. The proposed method, on the other hand, uses just one interpolation. Thus it has improved space efficiency and is faster in share generation as well as in reconstruction.

In this method, since the secrets themselves are assumed to be truly random by nature, they are equivalent to the random coefficients in [1]. Since Shamir's scheme is unconditionally secure, so is this scheme.

Sharing a very large secret 

The algorithm proposed above can be extended to conventional schemes like [1] to eliminate the need for random values. It provides computational security in cases where the length of the secret is very big and causes storage and computation inconvenience. The algorithm in [6] was originally meant to serve this purpose. It is implemented in the following manner:

A large secret of length, say, 20000 bits has to be shared among $n$ people such that any 10 of them can reconstruct the secret. Then, instead of using random coefficients for the 9 powers of $x$, namely $x, x^2, \ldots, x^9$, the 20000-bit secret is split into 10 pieces of 2000 bits each. These are then used as the coefficients of the powers of $x$ from 0 ($x^0$, the free term) to 9 ($x^9$). The possible values of the secret now span $\mathbb{Z}_p$, where $p$ is of the order of 2000 bits instead of 20000 bits. The advantages of this kind of implementation are:

• Primes of the order of 2000 bits are easier to find and use compared to 20000 
bits. 

• Share generation and interpolation for reconstruction are faster. 

• It saves storage space. 

However, note that the search space for a brute force search has now reduced. 
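The algorithm of steps 1 to 3 above, its $(m, n)$ extension with random coefficients for the powers $k$ to $m - 1$, and the splitting of a large secret into coefficient-sized pieces, as an added Python example. This is not code from the paper or from [6]; the prime `P`, the share points $x = 1, \ldots, n$, and the chunk sizes used for the large-secret demonstration are assumptions made here for illustration. Reconstruction takes the "solving for the $s_i$'s" route of step 3, i.e. it solves the Vandermonde system over $\mathbb{Z}_p$.

```python
# Added example (not the paper's or Krawczyk's own code).  Secrets are the
# low-order coefficients of q(x); a share is (x_i, q(x_i)); reconstruction
# solves the Vandermonde system over Z_p for the coefficients (step 3,
# "solving for the s_i's").  The (m, n) extension pads q(x) with random
# coefficients for x^k, ..., x^(m-1).  The prime P, the share points
# x = 1, ..., n and the chunk size for a large secret are assumptions.
from secrets import randbelow, randbits

P = 2**127 - 1   # a Mersenne prime standing in for the 2000-bit primes of the text


def make_shares(secret_list, n, m=None, p=P):
    """Share k secrets in an (m, n) scheme with m >= k (m = k by default).
    Returns n shares (x_i, q(x_i)) with distinct non-zero x_i."""
    k = len(secret_list)
    m = k if m is None else m
    if not (1 <= k <= m <= n < p):
        raise ValueError("need 1 <= k <= m <= n < p")
    coeffs = [s % p for s in secret_list]
    coeffs += [randbelow(p) for _ in range(m - k)]   # random padding; empty when m == k
    # Step 1: the top coefficient must be non-zero, otherwise fewer than m
    # shares already determine q(x).
    if coeffs[-1] == 0:
        if m == k:
            raise ValueError("the last secret must be non-zero when m == k")
        coeffs[-1] = 1 + randbelow(p - 1)
    shares = []
    for x in range(1, n + 1):          # x = 0 would hand out s_0 in the clear
        y = 0
        for c in reversed(coeffs):     # Horner's rule mod p
            y = (y * x + c) % p
        shares.append((x, y))
    return shares


def solve_mod_p(matrix, rhs, p):
    """Gauss-Jordan elimination over Z_p for a square system; returns the solution."""
    size = len(matrix)
    aug = [list(row) + [b] for row, b in zip(matrix, rhs)]
    for col in range(size):
        pivot = next(r for r in range(col, size) if aug[r][col] % p)
        aug[col], aug[pivot] = aug[pivot], aug[col]
        inv = pow(aug[col][col], -1, p)
        aug[col] = [v * inv % p for v in aug[col]]
        for r in range(size):
            if r != col and aug[r][col]:
                f = aug[r][col]
                aug[r] = [(a - f * b) % p for a, b in zip(aug[r], aug[col])]
    return [row[size] for row in aug]


def reconstruct(shares, k, m=None, p=P):
    """Recover the k secrets from any m shares (m = k by default)."""
    m = k if m is None else m
    if len(shares) < m:
        raise ValueError("not enough shares")
    xs, ys = zip(*shares[:m])
    vander = [[pow(x, j, p) for j in range(m)] for x in xs]   # rows (1, x, x^2, ...)
    return solve_mod_p(vander, list(ys), p)[:k]              # padding coefficients are dropped


def split_secret(big_secret, k, chunk_bits):
    """Cut a large integer secret into k chunks of chunk_bits each, low chunk first
    (the text's 20000-bit secret as ten 2000-bit coefficients)."""
    mask = (1 << chunk_bits) - 1
    return [(big_secret >> (i * chunk_bits)) & mask for i in range(k)]


def join_secret(chunks, chunk_bits):
    """Inverse of split_secret."""
    return sum(c << (i * chunk_bits) for i, c in enumerate(chunks))


if __name__ == "__main__":
    secret_list = [11, 22, 33]
    shares = make_shares(secret_list, n=6)             # (3, 6) scheme, no randomness
    print(reconstruct(shares[1:4], k=3))               # [11, 22, 33]
    shares = make_shares(secret_list, n=6, m=5)        # (5, 6) scheme, 2 random coefficients
    print(reconstruct(shares[::-1][:5], k=3, m=5))     # [11, 22, 33]
    big = randbits(120) | (1 << 119)                   # constructed 120-bit secret
    chunks = split_secret(big, k=4, chunk_bits=30)     # four 30-bit coefficients
    print(join_secret(reconstruct(make_shares(chunks, n=7)[:4], k=4), 30) == big)
```

The top chunk of a split secret must be non-zero (the `make_shares` check), which is why the demonstration forces the highest bit of `big`; in the $(m, n)$ extension that concern moves to the random coefficient of $x^{m-1}$ instead.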

5 Curious cases of insecurity 

In this section we consider a couple of cases wherein the opponent (Eve) is assumed 
to possess partial information about the secrets. The proposed scheme as well as the 
scheme in [2] are seen to fail under these assumptions. The failure could be attributed 
to them not employing random values. 
Case 1:

Here we elaborate a case in which the modified Krawczyk's scheme we proposed fails. The scheme was shown to be as secure as Shamir's scheme under the assumption that the secrets themselves are truly random, i.e., they come from a uniform distribution over $\mathbb{Z}_p$. However, this may not really be the case. Suppose the set of secrets is known to come from a set whose members are so much smaller than $p$ that modular arithmetic does not come into play at all.

Consider a $(k, n)$ scheme. Let the polynomial be $q(x)$ and let the prime $p$ we use be large (compared to the secrets). Assume that Eve happens to learn that the $k$ secrets are all less than some $r$, $r \ll p$.

$$q(x) = a_{k-1} x^{k-1} + \ldots + a_2 x^2 + a_1 x + a_0$$

Now Eve, being a share-holder as well, gets some arbitrary share $(u, q(u))$ at $x = u$. Knowing that the secrets, i.e., the coefficients $a_{k-1}, \ldots, a_2, a_1, a_0$, are all less than or equal to $r$, Eve infers that:

If $q(u)$ is a multiple of $u$, then the secret $a_0$ is a multiple of $u$. The converse is also true.

Let us examine why this is so. $q(u)$ is the value of $q(x)$ sampled at $x = u$. Thus, $q(u) = a_{k-1} u^{k-1} + \ldots + a_2 u^2 + a_1 u + a_0$. All the terms on the RHS (excluding $a_0$), being multiples of powers of $u$, are obviously multiples of $u$. If the LHS, namely $q(u)$, is a multiple of $u$, it implies that $a_0$ is a multiple of $u$ as well, and vice versa. For example, suppose $q(x) = 4x^3 + 3x^2 + 2x + 15$ and $p = 999961$. Note that $a_0 = 15$.

$q(3) = 108 + 27 + 6 + 15 \bmod 999961.$

$q(3) = 156 \bmod 999961.$

$q(3) = 156$ is a multiple of 3 $\iff$ $a_0$ is a multiple of 3.

Suppose $q(x) = 4x^3 + 3x^2 + 2x + 14$ and $p = 999961$. Note that $a_0 = 14$.

$q(3) = 108 + 27 + 6 + 14 \bmod 999961.$

$q(3) = 155 \bmod 999961.$

$q(3) = 155$ is NOT a multiple of 3 $\iff$ $a_0$ is NOT a multiple of 3.

Thus, in cases where the opponent knows that all the secrets are much smaller than the publicly known $p$ and are all less than some $r$, she can safely assume that the statement above is true. If $q(u)$ is a multiple of $u$, the search space (number of choices for the secret) for $a_0$ is reduced from $r$ to the set of multiples of $u$ less than or equal to $r$, i.e., from $r$ to $\lfloor r/u \rfloor + 1$. If $q(u)$ is NOT a multiple of $u$, the search space for $a_0$ is reduced to $r - \lfloor r/u \rfloor - 1$.

Such a problem does not occur with the conventional Shamir's scheme, since in that one, even if the secret is known to be less than or equal to $r$, the coefficients used are random (and distributed over the whole of $\mathbb{Z}_p$) and hence the divisibility argument does not hold. Thus, even when the opponent knows that the secret is less than or equal to $r$, the brute force search space is still $r$ and not reduced.
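The divisibility check of Case 1 and the contrast with Shamir's random coefficients, as an added Python example (written for this note, not code from the paper). It evaluates the paper's own polynomials $4x^3 + 3x^2 + 2x + 15$ and $4x^3 + 3x^2 + 2x + 14$ at $u = 3$ with $p = 999961$, computes the reduced candidate count from the text's formula, and then measures how often the same inference holds when the higher coefficients are drawn at random from $\mathbb{Z}_p$ as in Shamir's scheme. The bound $r = 100$ and the trial count are constructed values.

```python
# Added example (not from the paper): the Case 1 inference on the text's own
# numbers, and the same test against polynomials with random high coefficients
# (Shamir [1]) to show that randomness removes the leakage.  Bound r and the
# number of trials are constructed for illustration.
from secrets import randbelow


def eval_poly(coeffs, x, p):
    """Evaluate a polynomial (coefficients low degree first) at x over Z_p."""
    y = 0
    for c in reversed(coeffs):
        y = (y * x + c) % p
    return y


def a0_is_multiple_of_u(u, q_u):
    """Case 1 inference from a share (u, q(u)): when no coefficient is large
    enough for q(u) to wrap modulo p, q(u) mod u == a_0 mod u, so a_0 is a
    multiple of u exactly when q(u) is."""
    return q_u % u == 0


def reduced_search_space(r, u, q_u):
    """Candidates left for a_0 after the inference, per the text's formula:
    floor(r/u) + 1 if q(u) is a multiple of u, else r - floor(r/u) - 1."""
    multiples = r // u + 1
    return multiples if q_u % u == 0 else r - multiples


def leak_holds(coeffs, u, p):
    """Does the share at x = u really fix a_0 mod u for this polynomial?"""
    return eval_poly(coeffs, u, p) % u == coeffs[0] % u


def shamir_leak_rate(a0, u, p, trials=2000):
    """Fraction of random degree-2 Shamir polynomials with free term a0 for
    which q(u) mod u still equals a0 mod u.  Expected about 1/u: the share
    value is uniform over Z_p, so the inference is no better than a guess."""
    hits = 0
    for _ in range(trials):
        if leak_holds([a0, randbelow(p), randbelow(p)], u, p):
            hits += 1
    return hits / trials


if __name__ == "__main__":
    p = 999961
    q = [15, 2, 3, 4]              # q(x) = 4x^3 + 3x^2 + 2x + 15 from the text
    print(eval_poly(q, 3, p))                              # 156
    print(a0_is_multiple_of_u(3, eval_poly(q, 3, p)))      # True, and a_0 = 15 is
    print(reduced_search_space(r=100, u=3, q_u=156))       # 34 candidates instead of 100
    q2 = [14, 2, 3, 4]             # same polynomial with a_0 = 14
    print(a0_is_multiple_of_u(3, eval_poly(q2, 3, p)))     # False, and 14 is not
    print(shamir_leak_rate(15, 3, p))                      # roughly 0.33
```

`leak_holds` is the check a designer can run before choosing this scheme for a set of secrets with a known small bound: if it returns `True` for every share point, the share values carry the residue of $a_0$ modulo each $u$.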
Case 2:

This case establishes the failure of the scheme we proposed as well as of the scheme in [2]. Suppose a set of $k$ secrets from $\mathbb{Z}_p$ has been shared using the scheme proposed in [2] among a set of people $R$; let the polynomial be $q(x)$. Another set of secrets from $\mathbb{Z}_p$, which are all some $d$ times the secrets in the first set, are shared among a set of people $S$; let the polynomial be $r(x)$. Let Eve be one of the share-holders in $R$ but not in $S$, and let her get some arbitrary share $(u, q(u))$. She can immediately infer that $r(u) = d \cdot q(u) \pmod p$.

For example, suppose we want to share 3 secrets taken from a finite field $\mathbb{Z}_p$ among a set of people $R$. Let $s_0, s_1, s_2$ be the secrets. Interpolation is performed as follows:

$$q(x) = s_0 \cdot \frac{(x-1)(x-2)}{(0-1)(0-2)} + s_1 \cdot \frac{(x-0)(x-2)}{(1-0)(1-2)} + s_2 \cdot \frac{(x-0)(x-1)}{(2-0)(2-1)} \pmod p.$$

If the secrets to be shared among the second set $S$ are $d \cdot s_0$, $d \cdot s_1$ and $d \cdot s_2$ from $\mathbb{Z}_p$, then the polynomial is:

$$r(x) = d \cdot s_0 \cdot \frac{(x-1)(x-2)}{(0-1)(0-2)} + d \cdot s_1 \cdot \frac{(x-0)(x-2)}{(1-0)(1-2)} + d \cdot s_2 \cdot \frac{(x-0)(x-1)}{(2-0)(2-1)} \pmod p.$$

$$\Rightarrow r(x) = d \cdot q(x) \pmod p.$$

Thus, being in possession of $q(u)$, Eve can participate in the reconstruction of the secrets shared among the people in the second set $S$, since $r(u) = d \cdot q(u) \pmod p$. Although Eve is authorised to participate only in the reconstruction of the secrets shared among the first set $R$, she can use the partial information (that the secrets are multiples of each other) to her advantage, due to the flaw in the scheme. Note that such a problem does not arise with Shamir's scheme (which shares a single secret), since it employs random coefficients and hence the polynomial is not completely determined by the secret. The shares generated even for related secrets could be totally unrelated in Shamir's scheme.



The problems pointed out in the cases above are due to the fact that both schemes do away with random numbers. We observe that in special cases such as these, to share $k$ secrets it is advisable to use Shamir's scheme $k$ times, once per secret. Such an implementation, although not space efficient, is perfectly secure.
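The linearity behind Case 2 and the remedy of the preceding paragraph, as an added Python example (written for this note, not code from the paper). It builds the shares of [2] for a set of secrets and for their $d$-fold multiples, confirms that the share at $u$ of the second set equals $d \cdot q(u) \bmod p$, and then shares the same secrets with Shamir's scheme (fresh random coefficients per secret) to show that the corresponding prediction fails there. The prime, the sample secrets, $d$ and $u$ are constructed values.

```python
# Added example (not from the paper): under [2] a share of (s_0, s_1, s_2)
# determines the same-point share of (d*s_0, d*s_1, d*s_2) by linearity of
# interpolation; sharing each secret separately with Shamir's scheme (random
# coefficients) breaks the relation.  Prime, secrets, d and u are constructed.
from secrets import randbelow


def lagrange_eval(xs, ys, x, p):
    """Value at x of the interpolant through the points (xs[i], ys[i]) over Z_p."""
    total = 0
    for i, (xi, yi) in enumerate(zip(xs, ys)):
        num, den = 1, 1
        for j, xj in enumerate(xs):
            if j != i:
                num = num * (x - xj) % p
                den = den * (xi - xj) % p
        total = (total + yi * num * pow(den, -1, p)) % p
    return total


def scheme2_share(secret_set, x, p):
    """Share at point x under [2]: the secrets are y-values at 0, 1, ..., k-1."""
    return lagrange_eval(list(range(len(secret_set))), secret_set, x, p)


def predicted_related_share(q_u, d, p):
    """Case 2: from her own share q(u), Eve predicts r(u) = d * q(u) mod p."""
    return d * q_u % p


def case2_prediction_correct(secret_set, d, u, p):
    """Whether the prediction matches the real share of the d-fold secrets."""
    scaled = [d * s % p for s in secret_set]
    return predicted_related_share(scheme2_share(secret_set, u, p), d, p) == scheme2_share(scaled, u, p)


def shamir_share(secret, x, p, k):
    """Share of a single secret at x with fresh random coefficients (Shamir [1])."""
    coeffs = [secret] + [randbelow(p) for _ in range(k - 1)]
    y = 0
    for c in reversed(coeffs):       # Horner's rule mod p
        y = (y * x + c) % p
    return y


def shamir_prediction_hit_rate(secret, d, u, p, k=3, trials=1000):
    """Each secret is shared independently, so d * share(secret) equals
    share(d * secret) only by chance (about 1/p of the time)."""
    hits = sum(
        1 for _ in range(trials)
        if d * shamir_share(secret, u, p, k) % p == shamir_share(d * secret % p, u, p, k)
    )
    return hits / trials


if __name__ == "__main__":
    p, secret_set, d, u = 1000003, [17, 42, 99], 5, 7
    print(case2_prediction_correct(secret_set, d, u, p))    # True: r(u) = d * q(u)
    print(shamir_prediction_hit_rate(17, d, u, p))          # 0.0 (or very close to it)
```

The same `case2_prediction_correct` check returns `True` for the Krawczyk-style scheme of Section 4 as well, since evaluating a polynomial whose coefficients are the secrets is equally linear in those secrets; only the random coefficients of Shamir's construction decouple related secrets' shares.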



6 Conclusion 

We have pointed out the vulnerabilities of an existing secret sharing scheme. We 
have demonstrated clearly that there is no reason to choose a scheme which fails for 
a certain percentage of cases when there is an obvious better alternative solution 
which works for all possible cases. We have also proposed a couple of new modes of 
attack under certain assumptions and have thus assessed the role of random values 
in strengthening a scheme. The modes of attack proposed could prove to be useful 
elsewhere as well. 